[Previous] [Next] [Table of Contents]

OpenSSL Support For OpenVMS OSU HTTPD Server.

The following table shows what kinds of SSL certificates do and don't work with the three different types of OSU HTTPD SSL servers.

Each of the following tests outlined in the table were personally executed by me and in between each test the test system was rebooted to wipe all logicals and installed images and OpenSSL and the OSU HTTPD server were recompiled and re-installed from scratch to make sure nothing from the previous installation would corrupt the tests.

By clicking on one of the tests in the table you will get the complete step-by-step method I used to run each test.

512-bit Self-Signed SSL Certificate. 1024-bit Self-Signed SSL Certificate. 512-bit Server Certificate Signed By 512-bit CA Certificate. 512-bit Server Certificate Signed By 1024-bit CA Certificate. 1024-bit Server Certificate Signed By 512-bit CA Certificate. 1024-bit Server Certificate Signed By 1024-bit CA Certificate.
SSL_TASK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK
SSL_ENGINE EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser NOT OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser NOT OK, 128-bit NON-EXPORT Browser OK EXPORT Browser NOT OK, 128-bit NON-EXPORT Browser OK
MST SSL EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser NOT OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser OK, 128-bit NON-EXPORT Browser OK EXPORT Browser NOT OK, 128-bit NON-EXPORT Browser OK EXPORT Browser NOT OK, 128-bit NON-EXPORT Browser OK

4.1 Building OSU HTTPD SSL_TASK Support.

This assumes that you have done the following.

You will also need the following if you don't have it already.

With that said and done, here are the instructions for building the OSU HTTPD server with SSL support using the SSL_TASK program.

  1. If you don't have the OSU HTTPD server already installed and running you need to unpack the OSU distribution kit somewhere. (For the purpose of this discussion we'll assume you unpacked it in a directory called DISK$WORK:[HTTP_SERVER]).

    If you already have the OSU HTTPD server installed, you are set.

  2. Go to the [.BASE_CODE] directory in the OSU HTTPD distribution.

  3. Unpack the OSU_SSL.ZIP files into your [.BASE_CODE] directory replacing the files.

  4. You need to build the OSU HTTPD server so that it will use the shareable image TCP/IP interface. This is done as follows.

    
    	$ MMS/MACRO=(SHARE_TCP=xxxx)
    
         

    Where the "xxxx" is one of the following.

    
    		CMUTCP		CMU TCP/IP
    
    		MULTINET	Multinet TCP/IP
    
    		TCPWARE		TCPWare TCP/IP
    
    		TWGTCP		Pathway TCP/IP
    
    		UCXTCP		DEC UCX TCP/IP
    
         
  5. When that is done running, you need to compile the TSERVER_SSL.C and SSL_SERVER_DNET.C

    
    	$ CC TSERVER_SSL.C
    
    	$ CC SSL_SERVER_DNET.C
    
         
  6. You now need to link the DECNet SSL server. Go to your OSU [.BASE_CODE] directory and execute the following.

    
    	$ MMK TSERVER_SSL.EXE/FORCE/MACRO=(SSL=SSL_SERVER_DNET)
    
         
  7. If that went well you should have the file TSERVER_SSL.EXE in your OSU [.SYSTEM] directory.

  8. Unpack the updated replacement TSERVER_TCPSHR_INSTALL.COM file and place it in the OSU HTTPD [.SYSTEM] directory.

    If you didn't compile the SSL_TASK.EXE when you built your OpenSSL library, go to the [.OPENSSL-0_9_5A.SSL] directory and use the SSL-LIB.COM script to build it, it accepts the following parameters.

    
         P1:	ALL        Just build everything.
    
    		LIBRARY    Just build the SSL Library
    
    		SSL_TASK   Just build the SSL_TASK.EXE
    
    
    
         P2:	RSAREF     Compile using RSAREF routines.
    
    		NORSAREF   Don't compile using the RSAREF routines.
    
    
    
         P3:	DEBUG      Compile with debug information.
    
    		NODEBUG    Compile without debug information.
    
    
    
         P4:	VAXC       Use the VAXC compiler.
    
    		DECC	   Use the DECC compiler.
    
    		GNUC       Use the GNUC compiler.
    
    
    
         P5:        UCX        Use the UCX TCP/IP routines.
    
    		SOCKETSHR  Use the SOCKETSHR TCP/IP routines.
    
         

    You have to use the same options you originally used when you built the OpenSSL library. You don't have to build the entire SSL library again, just the SSL_TASK.

  9. Copy your SSL server certificate into the OpenSSL SSLCERTS: directory. (you don't have to, but it helps to keep everything together.) and make sure it is readable by whatever account the OSU HTTPD server runs under.

  10. Unpack the updated/upgraded WWWSSL.COM and place it in the root directory of the OSU HTTPD server.

    You might want to look this script over as you can define where you have the SSL_TASK.EXE and your SSL certificate if you choose not to place them in the SSLEXE: and SSLCERTS: directory as well defining an alternate location for the WWWSSL.LOG file.

  11. Now you just need to startup the HTTPD server on port 80 and 443 like the following.

    
    	$ @DISK$WORK:[HTTP_SERVER.SYSTEM]HTTP_STARTUP.COM HTTP_SERVER -
    
               DISK$WORK:[HTTP_LOGS]HTTP_ERROR.LOG -
    
               DISK$WORK:[HTTP_SERVER.SYSTEM]HTTP_MAIN.CONF -
    
               80 443
    
         

    And if the server starts up correctly, you should be able to get a secure connection using "https".


4.2 Building OSU HTTPD SSL_ENGINE Support.

This documentation on intergrating OpenSSL into the OSU HTTPD SSL_ENGINE was written and tested for OSU HTTPD v3.5 and later. If you have a previous version of OSU HTTPD, the steps should be similar and will help you in getting the SSL_ENGINE compiled, but some of the essential files are only included in OSU v3.5 and later so your milage may vary and we recommend upgrading to OSU v3.5 to solve any potential problems.

This assumes that you have done the following.

You will also need the following if you don't have it already.

With that said and done, here are the instructions for building the OSU HTTPD server with SSL support using the SSL_ENGINE program.

  1. If you don't have the OSU HTTPD server already installed and running you need to unpack the OSU distribution kit somewhere. (For the purpose of this discussion we'll assume you unpacked it in a directory called DISK$WORK:[HTTP_SERVER]).

    If you already have the OSU HTTPD server installed, you are set.

  2. Go to the [.BASE_CODE] directory in the OSU HTTPD distribution.

  3. Unpack the OSU_SSL.ZIP files into your [.BASE_CODE] directory replacing the files.

  4. You need to build the OSU HTTPD server so that it will use the shareable image TCP/IP interface. This is done as follows.

    
    	$ MMS/MACRO=(SHARE_TCP=xxxx)
    
         

    Where the "xxxx" is one of the following.

    
    		CMUTCP		CMU TCP/IP
    
    		MULTINET	Multinet TCP/IP
    
    		TCPWARE		TCPWare TCP/IP
    
    		TWGTCP		Pathway TCP/IP
    
    		UCXTCP		DEC UCX TCP/IP
    
         
  5. When that is done running, you need to compile the TSERVER_SSL.C, SSL_SERVER_DNET.C and SSL_ENGINE.EXE

    
    	$ CC TSERVER_SSL.C
    
    	$ CC SSL_SERVER_DNET.C
    
    	$ CC SSL_ENGINE.C
    
         
  6. Now, you need to look at the BSS_MST.C file in an editor. If you see the line #include "cryptlib.h" you need to remove that line and replace it with #include "bio.h"

    With that done, you can save the file and exit the editor.

  7. If you compiled OpenSSL with RSAREF support, you need to edit the SSL_ENGINE.OPT and SSL_LIBRARIES.OPT file and uncomment the line for the LIBRSAGLUE library.

  8. You now need to compile the SSL_THREADED.C and BSS_MST.C files as follows.

    
    	$ CC/STANDARD=ANSI89/PREFIX=ALL/WARNING=DISABLE=DOLLARID -
    
                /INCLUDE=SSLINCLUDE:/DEFINE=("FLAT_INC=1","VMS=1") -
    
    	    SSL_THREADED.C
    
    	$ CC/STANDARD=ANSI89/PREFIX=ALL/WARNING=DISABLE=DOLLARID -
    
                /INCLUDE=SSLINCLUDE:/DEFINE=("FLAT_INC=1","VMS=1") -
    
    	    BSS_MST.C
    
         
  9. Link the SSL_ENGINE.EXE with the following command.

    
    	$ LINK/NOTRACEBACK/EXE=SSLEXE:SSL_ENGINE.EXE SSL_ENGINE.OPT/OPT
    
         

    If all went well, you should have SSL_ENGINE.EXE in your SSLEXE: directory. You need to make sure the protection on the SSLEXE:SSL_ENGINE.EXE file is set to (SYSTEM:RWED,OWNER:RWED,GROUP,WORLD:RE) so execute the following to make sure.

    
    	$ SET FILE SSLEXE:SSL_ENGINE.EXE/PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD:RE)
    
         
  10. The SSL_ENGINE needs to be installed with SYSNAM privs. Install the SSLEXE:SSL_ENGINE.EXE as follows.

    
    	$ INSTALL ADD SSLEXE:SSL_ENGINE.EXE/PRIVS=(SYSNAM)
    
         

    I would advise adding the above to your OSU startup script so it is executed when the server is started up.

  11. You now need to link the DECNet SSL server. Go to your OSU [.BASE_CODE] directory and execute the following.

    
    	$ MMK TSERVER_SSL.EXE/FORCE/MACRO=(SSL=SSL_SERVER_DNET)
    
         
  12. If that went well you should have the file TSERVER_SSL.EXE in your OSU [.SYSTEM] directory.

  13. Unpack the updated replacement TSERVER_TCPSHR_INSTALL.COM file and place it in the OSU HTTPD [.SYSTEM] directory.

  14. Copy your SSL server certificate into the OpenSSL SSLCERTS: directory. (you don't have to, but it helps to keep everything together.) and make sure it is readable by whatever account the OSU HTTPD server runs under.

  15. Unpack the updated/upgraded WWWSSL.COM and place it in the root directory of the OSU HTTPD server.

    You might want to look this script over as you can define where you have the SSL_ENGINE.EXE and your SSL certificate if you choose not to place them in the SSLEXE: and SSLCERTS: directory as well defining an alternate location for the WWWSSL.LOG file.

  16. Now you just need to startup the HTTPD server on port 80 and 443 like the following.

    
    	$ @DISK$WORK:[HTTP_SERVER.SYSTEM]HTTP_STARTUP.COM HTTP_SERVER -
    
               DISK$WORK:[HTTP_LOGS]HTTP_ERROR.LOG -
    
               DISK$WORK:[HTTP_SERVER.SYSTEM]HTTP_MAIN.CONF -
    
               80 443
    
         

    And if the server starts up correctly, you should be able to get a secure connection using "https".


4.3 Building OSU HTTPD MST SSL Support.

This documentation on intergrating OpenSSL into the OSU HTTPD MST SSL server and was written and tested for OSU HTTPD v3.5 and later. If you have a previous version of OSU HTTPD, the steps should be similar and will help you in getting the MST SSL server compiled, but some of the essential files are only included in OSU v3.5 and later so your milage may vary and we recommend upgrading to OSU v3.5 to solve any potential problems.

This assumes that you have done the following.

You will also need the following if you don't have it already.

With that said and done, here are the instructions for building the OSU HTTPD server with MST SSL server support.

  1. If you don't have the OSU HTTPD server already installed and running you need to unpack the OSU distribution kit somewhere. (For the purpose of this discussion we'll assume you unpacked it in a directory called DISK$WORK:[HTTP_SERVER]).

    If you already have the OSU HTTPD server installed, you are set.

  2. Go to the [.BASE_CODE] directory in the OSU HTTPD distribution.

  3. Unpack the OSU_SSL.ZIP file into your [.BASE_CODE] directory replacing the files.

  4. You need to build the OSU HTTPD server so that it will use the shareable image TCP/IP interface. This is done as follows.

    
    	$ MMS/MACRO=(SHARE_TCP=xxxx)
    
         

    Where the "xxxx" is one of the following.

    
    		CMUTCP		CMU TCP/IP
    
    		MULTINET	Multinet TCP/IP
    
    		TCPWARE		TCPWare TCP/IP
    
    		TWGTCP		Pathway TCP/IP
    
    		UCXTCP		DEC UCX TCP/IP
    
         
  5. When that is done running, you need to compile the TSERVER_SSL.C and SSL_SERVER_MST.C

    
    	$ CC TSERVER_SSL.C
    
    	$ CC SSL_SERVER_MST.C
    
         
  6. Now, you need to look at the BSS_MST.C file in an editor. If you see the line #include "cryptlib.h" you need to remove that line and replace it with #include "bio.h"

    With that done, you can save the file and exit the editor.

  7. If you compiled OpenSSL with RSAREF support, you need to edit the SSLSHR_SERVER_MST.OPT and SSL_LIBRARIES.OPT file and uncomment the line for the LIBRSAGLUE library.

  8. You now need to compile the SSL_THREADED.C and BSS_MST.C files as follows.

    
    	$ CC/STANDARD=ANSI89/PREFIX=ALL/WARNING=DISABLE=DOLLARID -
    
                /INCLUDE=SSLINCLUDE:/DEFINE=("FLAT_INC=1","VMS=1") -
    
    	    SSL_THREADED.C
    
    	$ CC/STANDARD=ANSI89/PREFIX=ALL/WARNING=DISABLE=DOLLARID -
    
                /INCLUDE=SSLINCLUDE:/DEFINE=("FLAT_INC=1","VMS=1") -
    
    	    BSS_MST.C
    
         
  9. You now need to link the MST SSL server. Go to your OSU [.BASE_CODE] directory and execute the following.

    
    	$ MMK TSERVER_SSL.EXE/FORCE/MACRO=(SSL=SSL_SERVER_MST)
    
         
  10. If that went well you should have the file TSERVER_SSL.EXE in your OSU [.SYSTEM] directory.

  11. Unpack the updated replacement TSERVER_TCPSHR_INSTALL.COM file and place it in the OSU HTTPD [.SYSTEM] directory.

  12. Copy your SSL server certificate into the OpenSSL SSLCERTS: directory. (you don't have to, but it helps to keep everything together.) and make sure it is readable by whatever account the OSU HTTPD server runs under.

  13. You now need to define the following logicals as /SYSTEM/EXECto customize your installation of the MST SSL server.

    
    	WWWSSL_MST_THREAD_LIMIT  :  The Maximum Number Of SSL Threads Allowd.
    
    				    (Default is 10)
    
    
    
    	WWWSSL_MST_STACK_SIZE	 :  The Stack Size For SSL Server Threads.
    
    				    (Default is 60000)
    
    
    
    	WWWSSL_MST_QUEUE_FLAG	 :  Weather Or Not To Wait For Next Available Thread.
    
    				    (TRUE or FALSE value)
    
    
    
    	WWWSSL_MST_CERTIFICATE	 :  Location Of The Server's SSL Certificate.
    
    	WWWSSL_MST_LOGFILE	 :  Location To Put The MST SSL Log File.
    
    	WWWSSL_MST_VERSION	 :  Which versions of SSL To Use 2, 3 or 23
    
    				    (Default is 2)
    
         

    Here's an example...

    
    	$ DEFINE/SYSTEM/EXEC WWWSSL_MST_THREAD_LIMIT 15
    
    	$ DEFINE/SYSTEM/EXEC WWWSSL_MST_STACK_SIZE 90000
    
    	$ DEFINE/SYSTEM/EXEC WWWSSL_MST_QUEUE_SIZE TRUE
    
    	$ DEFINE/SYSTEM/EXEC WWWSSL_MST_CERTIFICATE SSLCERTS:SERVER.PEM
    
    	$ DEFINE/SYSTEM/EXEC WWWSSL_MST_LOGFILE DISK$HTTP:[HTTP_LOGS]SSL_MST.LOG
    
    	$ DEFINE/SYSTEM/EXEC WWWSSL_MST_VERSION 23
    
         

    I recomend putting the defines in your OSU HTTP startup file.

  14. Now you just need to startup the HTTPD server on port 80 and 443 like the following.

    
    	$ @DISK$WORK:[HTTP_SERVER.SYSTEM]HTTP_STARTUP.COM HTTP_SERVER -
    
               DISK$WORK:[HTTP_LOGS]HTTP_ERROR.LOG -
    
               DISK$WORK:[HTTP_SERVER.SYSTEM]HTTP_MAIN.CONF -
    
               80 443
    
         

    And if the server starts up correctly, you should be able to get a secure connection using "https".


[Previous] [Next] [Table of Contents]